How to check if a link is safe before you click

A link is the easiest way for a scammer to reach you. One tap can open a page that steals your login, asks for card details, or quietly downloads malware. The good news is that you can check where a link actually goes before you click it.

This guide shows you how to preview a link, read the real destination, and spot the tricks that make a bad link look safe. You can also paste the destination into our free check to see if it is flagged, all without loading the page.

Check any website now

Paste an address for a free safety check: encryption, malware and phishing, domain age and more.

Preview where a link goes first

The single most useful habit is to look at the real destination before you click. On a computer, hover your mouse over the link without clicking and the true web address appears, usually in the bottom corner of the browser or email window. On a phone, press and hold the link for a moment and a preview of the address pops up so you can read it and then cancel.

The visible text of a link means nothing. A link can say www.yourbank.com while actually pointing somewhere else entirely. Trust the address you preview, not the words you were shown.

Read the domain right to left

The part that tells you who really owns a link is the domain, and the safest way to read it is right to left. Find the last two parts before the first single slash. In secure.paypal.com the owner is paypal.com. In paypal.brand-security.example.com the owner is example.com, and the familiar name has just been added as a prefix to reassure you.

Watch for lookalike and typosquat tricks: a number swapped for a letter such as paypa1.com, an extra word like paypal-support.com, or an unusual ending. If the real owner is not the company you expected, do not click.

Tricks scammers use with URLs

Shortened links

Shorteners hide the real destination behind a short code. If you cannot see where a link leads and did not expect it, treat it with caution.

Lookalike domains

Letters swapped for numbers, extra hyphens, or a trusted name used as a prefix. They rely on you reading quickly.

Unexpected messages

Urgent texts or emails about a delivery, refund or account problem, pushing you to click before you think.

Display text that lies

The words in a link can show one address while the link points to another. Always preview the real target.

Check the destination safely

  1. 1.Hover on a computer, or press and hold on a phone, to preview the real web address.
  2. 2.Read the domain right to left and confirm the owner is who you expected.
  3. 3.If it is a shortened link, do not click. Try to reveal the full address first.
  4. 4.Copy the destination domain and run it through our free safety check to see if it is flagged, without loading the page.
  5. 5.If the message was unexpected, ignore the link and reach the company through their official app or a web address you type yourself.

When in doubt, do not click

No message is so urgent that you cannot take a moment to check. Banks, couriers and payment services do not need you to click a link in a hurry, and a real account issue will still be there when you log in the normal way. If a link makes you feel rushed, that pressure is itself a warning sign.

When you are unsure, go to the source directly. Type the web address yourself or open the official app, rather than trusting a link someone sent you.

Frequently asked questions

How do I check a link without clicking it?

On a computer, hover your mouse over the link and read the real web address that appears at the bottom of the window. On a phone, press and hold the link to see a preview. To go further, copy the destination domain and paste it into our free safety check, which tells you if it is flagged without loading the page.

Are shortened links safe?

Not necessarily. A shortener hides the true destination behind a short code, which is convenient but also useful to scammers. Shortened links are common and often fine, but if you did not expect the message or cannot see where the link leads, treat it with caution and check the destination before clicking.

How can I tell if a link is a fake version of a real site?

Read the domain right to left and find the real owner, which is the last two parts before the first single slash. Watch for letters swapped for numbers, extra words or hyphens, and trusted names used only as a prefix. If the owner is not the company you expected, the link is likely fake.

What should I do if I already clicked a bad link?

Do not enter any details on the page and close it. If you typed a password or card number, change that password straight away and contact your bank if payment details were involved. Run a security scan on your device, and keep an eye on the affected accounts for anything unusual.

Is it safe to click links in emails and text messages?

Links in messages you expected, from senders you trust, are usually fine once you have previewed the destination. The risk is with unexpected messages, especially ones creating urgency. When in doubt, ignore the link and reach the company through their official app or a web address you type yourself.

Related guides

Not sure about a site? Check it in seconds.

Free, anonymous, and no signup. Know before you buy.

Run a free safety check